Client endpoint systems are a prime target for attackers of every sophistication level. These systems take part in many transactions demanding a degree of trust that can no longer be placed in a general-purpose commodity computer system.
In 1985, the Department of Defense Trusted Computer System Evaluation Criteria defined a “trusted path” as “[a] mechanism by which a person at a terminal can communicate directly with the Trusted Computing Base. This mechanism can only be activated by the person or the Trusted Computing Base and cannot be imitated by untrusted software.”
In 1998, Loscocco et al. recognized that prevailing commercial operating systems had abandoned the ability to support a trusted path and Mandatory Access Control (MAC), but reiterated the importance of these mechanisms, warning of “the inevitability of failure” in their absence. [Loscocco, P. A., Smalley, S. D., Muckelbauer, P. A., Taylor, R. C., Turner, S. J., and Farrell, J. F. The inevitability of failure: The flawed assumption of security in modern computing environments. In Proceedings of the 21st National Information Systems Security Conference (1998), pp. 303-314.]
By 2008, commercial operating systems had much better capabilities to support MAC, but still no reliable mechanism to support a trusted path for use in authenticating users. In a 2008 position paper, Laurie and Singer suggested that it was no longer realistic to expect an operating system (“OS”) to maintain its full functionality and flexibility while also being able to provide a trusted path. [Laurie, B., and Singer, A. Choose the red pill and the blue pill. In NSPW '08 (Lake Tahoe, Calif., September 2008).]
Further exacerbating the issue is today's explosive growth of the Internet and networked computing. There are many remote services that depend on an ability to securely authenticate a transaction on behalf of a user. Online banking requires the guarantee that transfer of funds be initiated by the legitimate owner of the account. In system administration there is a need to securely manage the configuration of devices such as routers or virtualization servers, which can affect thousands of users. In classified networks there is the need to initiate file transfers between classification domains. But in all of these cases, without a trusted path the server cannot know the client is not compromised and controlled by a malicious agent. Without a trusted path, compromised endpoint systems have facilitated identity theft, bank fraud, and the theft of user credentials. [Aaron, G. The state of phishing. Computer Fraud & Security 2010, 6 (2010), 5-8.]
Despite these vulnerabilities, servers continue to trust the client's operating environment and assume that all requests are initiated by the user, rather than assuming that the client system is compromised.